Security protocols for processor-based systems

ABSTRACT

A processor-based system such as a wireless communication module may implement security functions in a cost effective fashion by providing a virtual memory space whose addresses may be recognized. The memory is integrated with an application processor. When those addresses are recognized, access to special security protocols may be allowed. In another embodiment, a variety of dedicated hardware cryptographic accelerators may be provided to implement security protocols in accordance with a variety of different standards. By optimizing the hardware for specific standards, greater performance may be achieved.

BACKGROUND

[0001] This invention relates generally to processor-based systems and,in particular embodiments, to processor-based systems capable ofimplementing wireless communications.

[0002] Wireless communications may be implemented by cellular telephonesas well as networked devices that use wireless protocols. Aprocessor-based system then communicates with other systems using anappropriate wireless protocol.

[0003] A number of security procedures may be implemented to enablesecure communications between two stations. In addition, it may benecessary to authenticate a given communicator to insure that thecommunicator is authorized to use the network such as a wirelesstelephone system.

[0004] Conventionally, security may be implemented through a dedicatedmodule or plug-in card that includes its own separate processor-basedsystem including a processor and memory. Conventionally calledsubscriber identity modules (SIMs), these processor-based systemsfunction relatively independently of the system in which they areembedded. They provide access to secure data such as a subscriber'sidentity. This data control is enforced by an onboard processor.

[0005] The use of a removable SIM is a relatively high cost approach.The dedicated SIM adds significantly to the cost of the electronicsystem that it serves to protect.

[0006] Software techniques may also be used to provide security inelectronic devices. Software only security solutions are subject tocompromise from coding errors, viruses, and hacker attacks.

[0007] Thus, purely hardware approaches may be subject to somedeficiencies in terms of cost and purely software approaches may besubject to deficiencies in terms of effectiveness.

[0008] Thus, there is a need for better ways to implement securityprotocols in processor-based systems, and in particular, those systemsutilized for wireless communications.

BRIEF DESCRIPTION OF THE DRAWINGS

[0009]FIG. 1 is a schematic depiction of one embodiment of the presentinvention;

[0010]FIG. 2 is a flow chart for one embodiment of the presentinvention; and

[0011]FIG. 3 is a schematic depiction of another embodiment of thepresent invention.

DETAILED DESCRIPTION

[0012] Referring to FIG. 1, a processor-based system 10 may beimplemented, in one embodiment, as a wireless communication device. Twoexamples of such wireless communication devices include cellulartelephones and networked devices, which communicate by a radio frequencysignal.

[0013] An internal bus 16 couples a baseband processor 12 to a memoryarray 14. A digital signal processor 18 is also coupled to the bus 16 inone embodiment. In one embodiment, the digital signal processor 18 mayinclude its own memory array 22 coupled to the processor 18 via a bus20.

[0014] In one embodiment, a subscriber identity module is not utilizedand instead, the security functions normally implemented through asubscriber identity module may be embedded within an applicationprocessor 25. Thus, a single integrated circuit may accomplish anapplication processing function and a subscriber identity module (SIM)function.

[0015] In general, an application processor 25 handles applications notdirectly involved in baseband operations. The application processor 25may have embedded storage 24 that may include a virtual SIM 24 a thatmay be a range of addresses dedicated to the SIM functions. In someembodiments, other components such as the baseband processor 12 may beintegrated with the application processor 25. Thus, in some embodiments,the virtual subscriber identity module 24 includes an access-restricted,dedicated range of addresses in a memory space 24.

[0016] In some cases, the virtual SIM 24 a may store software thatimplements user authentication, digital signatures, and the securityprotocols for mobile commerce transactions as well as implementing theSIM functions. In some cases, dedicated hardware or a control logic maybe used with the virtual SIM 24 a and in other cases, the applicationprocessor 25 may control the virtual SIM 24 a.

[0017] By integrating the virtual SIM 24 with the application processor25, the ability to hack or corrupt the SIM functions may be reduced. Inaddition, the overall system 10 may be made in smaller sizes and havereduced power consumption in some embodiments.

[0018] In some cases, the memory 24 may be formed of a nonvolatilememory such as flash memory. In other cases, a volatile memory such asrandom access memory may be used together with a battery. In any case,the virtual SIM 24 a address range within the memory 24 is physicallyintegrated with the application processor 25. In such case, theapplication processor 25 may service the virtual SIM 24 a as it does therest of the memory 24. Access to the virtual SIM 24 a may be controlledso that only certain applications can access the address rangerepresented by the virtual SIM 24 a.

[0019] Referring to FIG. 2, the virtual SIM software 50 implements thevirtual subscriber identity module functions. In short, the software 50identifies particular instructions as bearing on particular addresses.If those addresses correspond to the space dedicated for securityprotocols, special privileges may be granted. In all other cases, accessto security protocols may be precluded.

[0020] When an instruction is received as indicated at block 52, it ischecked as indicated in diamond 54 to see if it relates to addresses inthe dedicated virtual SIM space 25. If so, access may be granted for theinstruction to various cryptographic features as indicated in block 56.Otherwise access privileges are not provided.

[0021] In some cases, the access to the security privileges may beimplemented by providing an appropriate code word to the instruction. Inother cases, the instruction may be allowed to access various hardwareand software features of the system 10 to implement cryptographicfunctions.

[0022] Thus, in some embodiments, both secure and non-secure processesmay utilize the same processing hardware, such as the baseband processor12 and digital signal processor 18. If, in some embodiments, the virtualSIM implementation is not wholly software based it may not requirededicated hardware and as a result may be a more cost effectivesolution.

[0023] Referring to FIG. 3, another processor-based system 10 a mayinclude a baseband processor 12, a memory array 14, an internal bus 16,a digital signal processor 18, a digital signal processor bus 20, and amemory array 22 in some embodiments. Coupled to the internal bus 16 isan array of hardware cryptographic accelerators 26. For example, a DataEncryption Standard (DES) algorithm accelerator 30 a (See NationalBureau of Standards NBS FIPS PUB 46, “Data Encryption Standard”,National Bureau of Standards, U.S. Dept. of Commerce, January 1977), anAdvanced Encryption Standard (AES) (See J. Daemen, V. Rigmen, “The BlockCipher Rijndael,” Smart Card Research and Applications, LNCS 1820, J.-J.Quisquater and B. Schneier, Eds., Springer-Verlag, 2000, pp. 286-296) orRijndael algorithm accelerator 30 b, a RSA algorithm accelerator 30 f(See R. L. Rivest, A. Shamir and L. M. Adleman, “A Method for ObtainingDigital Signatures and Public-Key Cryptosystems” Communications of theACM, v. 21, n. 2, February 1978, pp. 120-6.), a Securing Hash Algorithm,(SHA-1) accelerator 30 e (See National Bureau of Standards andTechnology, NIST FIPS PUB 186, “Digital Signature Standard” U.S.Department of Commerce, May 1994), a Message Digest 5 (MD5) algorithmaccelerator 30 d (See R. L. Rivest, “The MD5 Message Digest Algorithm”,RFC 1320, April 1992) may be included as well as additional algorithmaccelerators 30 c. Thus, the array 26 may include a wide variety ofhardware based security algorithm accelerators including one way hashfunction (SHA-land MD5). The system may use the virtual subscriberidentity module 25 described with respect to the previous embodiments aswell.

[0024] Because each accelerator 30 in the array 26 is dedicated to aspecial purpose, its performance for a particular standard may beoptimized. The control of each accelerator in the array 26 may becontrolled by one of the processors 12 or 18. In some embodiments, thearray 26 may be integrated on a single integrated circuit.

[0025] Using symmetric, asymmetric, hashing and privacy algorithms, avariety of security protocols can be serviced by the array 26 ofaccelerators 30.

[0026] While the present invention has been described with respect to alimited number of embodiments, those skilled in the art will appreciatenumerous modifications and variations therefrom. It is intended that theappended claims cover all such modifications and variations as fallwithin the true spirit and scope of this present invention.

What is claimed is:
 1. A method comprising: integrating an applicationprocessor with a storage; establishing a virtual memory space in saidstorage; detecting instructions directed to said memory space; andgranting instructions directed to said memory space access tocryptographic functions.
 2. The method of claim 1 including assigning anaddress range to said virtual memory space.
 3. The method of claim 1including detecting instructions directed to said memory space bycomparing the addresses of said instructions to the addressescorresponding to said virtual memory space.
 4. The method of claim 1including allowing only instructions addressed to said memory space toaccess said cryptographic functions.
 5. The method of claim 1 includingproviding separate cryptographic accelerators for a plurality ofcryptographic techniques.
 6. The method of claim 5 including providing adata encryption standard algorithm accelerator.
 7. The method of claim 6including providing a Rijndael algorithm accelerator.
 8. The method ofclaim 5 including providing at least three different hardwarecryptographic algorithm accelerators.
 9. The method of claim 8 includingproviding said cryptographic accelerators on the same integratedcircuit.
 10. An article comprising a medium storing instructions thatenable a processor-based system to: establish a virtual memory space onan integrated circuit including an application processor; detectinstructions directed to said memory space; and grant instructionsdirected to said memory space access to cryptographic functions.
 11. Thearticle of claim 10 further storing instructions that enable theprocessor-based system to assign an address range to a virtual memoryspace.
 12. The article of claim 10 further storing instructions thatenable the processor-based system to detect instructions directed tosaid memory space by comparing the addresses of said instructions to theaddresses corresponding to said virtual memory space.
 13. The article ofclaim 10 further storing instructions that enable the processor-basedsystem to allow only instructions addressed to said memory space toaccess said cryptographic functions.
 14. The article of claim 10 furtherstoring instructions that enable the processor-based system to provideseparate cryptographic accelerators for a plurality of cryptographictechniques.
 15. The article of claim 14 further storing instructionsthat enable the processor-based system to complete a cellular wirelesstelephone call.
 16. A system comprising: an integrated circuit; anapplication processor formed on said integrated circuit; a storageincluding a virtual memory space formed on said integrated circuit; anda device to detect instructions directed to said virtual memory spaceand to grant instructions directed to said virtual memory space accessto cryptographic functions.
 17. The system of claim 16 wherein saidsystem is a wireless cellular telephone.
 18. The system of claim 16wherein said virtual memory space is associated with an address range insaid storage.
 19. The device of claim 16 wherein said device is theapplication processor.
 20. The system of claim 16 wherein said devicedetects instructions directed to said memory space by comparing theaddresses of said instructions to the addresses corresponding to saidvirtual memory space.
 21. The system of claim 16 wherein said deviceonly allows instructions directed to said memory space to accesscryptographic functions.
 22. The system of claim 16 including aplurality of cryptographic accelerators each for different cryptographictechniques.
 23. The system of claim 22 including a data encryptionstandard algorithm accelerator.
 24. The system of claim 23 including aRijndael algorithm accelerator.
 25. The system of claim 23 including atleast three different hardware cryptographic algorithm accelerators. 26.The system of claim 25 including an integrated circuit including all ofsaid cryptographic accelerators.
 27. The system of claim 19 including abaseband processor integrated on said integrated circuit.